New Malware Attacking Windows & MS Office Users


A sophisticated malware campaign has been identified, specifically targeting Windows and Microsoft Office users through cracked software.

This malicious operation leverages software cracks, often sought after for unauthorized activation of popular software, to distribute Remote Access Trojans (RATs) and coin miners, posing significant risks to personal and organizational cybersecurity.

Persistent Threats Through Clever Mechanisms

Once installed on a victim’s system, the malware employs advanced techniques to ensure its persistence.

It cleverly registers commands within the task scheduler, which allows it to maintain a foothold on the infected system.


According to the recent report from Broadcom, this persistence enables the continuous installation of new malware payloads, even after initial removal attempts, making it a particularly stubborn and dangerous threat.
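One way a defender can act on the scheduled-task persistence described above, as an added example that is not part of the article or of any vendor's product: a Python script that parses the CSV export of `schtasks /query /fo CSV /v` and flags tasks whose action runs from a user-writable directory, invokes a script host with an encoded or hidden-window command, or uses a well-known system binary name outside the Windows directory. The sample rows are constructed for this example, and the heuristics are assumptions of the example rather than indicators from the Symantec report.

```python
import csv
import io
import re

# Constructed sample. The columns mirror a `schtasks /query /fo CSV /v` export,
# but every row is made up for this example; none comes from the article.
SAMPLE_CSV = r'''"TaskName","Status","Next Run Time","Task To Run","Run As User","Schedule Type"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","N/A","%windir%\system32\defrag.exe -c -h -k -g -$","SYSTEM","Weekly"
"\OfficeUpdateCheck","Ready","6/1/2024 9:00:00 AM","powershell.exe -nop -w hidden -enc SQBFAFgA","HOSTNAME\user","Daily"
"\GoogleUpdateTaskMachineUA","Ready","N/A","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua","SYSTEM","Daily"
"\SystemHealthCheck","Ready","6/1/2024 9:05:00 AM","C:\Users\user\AppData\Roaming\svchost.exe","HOSTNAME\user","At logon"
'''

# Heuristics (assumptions of this example): directories a standard user can write to,
# script hosts and LOLBins commonly used by task-based persistence, encoded or hidden
# PowerShell invocations, and system binary names used as a disguise.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|cmd)(\.exe)?\b", re.I)
ENCODED = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}


def _binary_path(cmd):
    """Return the executable portion of a task action (quoted or first token)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def score_task(row):
    """Return the list of reasons a task row looks suspicious (empty if none)."""
    cmd = row.get("Task To Run", "") or ""
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("user-writable path")
    if SCRIPT_HOST.search(cmd):
        reasons.append("script host")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if HIDDEN.search(cmd):
        reasons.append("hidden window")
    path = _binary_path(cmd)
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and "\\windows\\" not in path.lower():
        reasons.append("system binary name outside Windows directory")
    return reasons


def analyze(csv_text):
    """Map task name -> reasons for every task in the export that trips a heuristic."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, reasons in analyze(SAMPLE_CSV).items():
        print(f"{task}: {', '.join(reasons)}")
```

On a real host, run `schtasks /query /fo CSV /v > tasks.csv` and pass the file's text to `analyze`. Treat hits as leads for review rather than verdicts: legitimate updaters and administrative scripts also run from ProgramData or call PowerShell, so the value is in comparing results across hosts and over time, especially after a cleanup, since the article notes the task re-installs payloads after removal.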

Symantec, a leading cybersecurity firm, has identified several indicators of compromise associated with this campaign, including Adaptive-based, Carbon Black-based, File-based, Machine Learning-based, and Web-based indicators.

These indicators help detect and block the malicious activities initiated by this malware.

The malware variants identified in this campaign, such as ACM.Ps-Http!g2, ACM.Ps-Masq!g1, and ACM.Ps-Reg!g1, are effectively detected and blocked by existing policies within VMware Carbon Black products.

VMware Carbon Black recommends policies that, at a minimum, block all types of malware from executing, including known malware, suspect malware, and potentially unwanted programs (PUPs).

This approach, coupled with a delay in execution for cloud scans, maximizes the benefits derived from VMware Carbon Black Cloud’s reputation service.

File-Based and Machine Learning-Based Detection

The campaign also utilizes downloader malware and Trojan horses, identified as ISB.Downloader!gen221 and Trojan.Gen.MBT, respectively.

These threats are also covered by Symantec's machine learning-based detections, such as Heur.AdvML.A!300 and the Heur.AdvML.B series, which are designed to identify and neutralize potential threats before they can cause harm.

On the web-based side, the domains and IP addresses observed in the operation are covered under security categories in all WebPulse-enabled products.

This comprehensive coverage ensures that attempts to communicate with command and control servers or download additional malicious payloads are blocked, further protecting users from the campaign’s reach.

This malware campaign underscores the risks associated with downloading and using cracked software.

Beyond the legal and ethical implications, such software exposes users to significant cybersecurity threats.

Users are urged to download software only from official vendor websites and to employ robust cybersecurity measures, including reputable antivirus and antimalware solutions, to protect against such sophisticated threats.
